On Thursday, February 21, 2013 02:05:37 PM Murray S. Kucherawy wrote:
> On Thu, 21 Feb 2013, Scott Kitterman wrote:
> > Feb 21 15:30:13 mailout02 opendkim[1740]: 231D920E4061:
> > mailout03.controlledmail.com [208.43.65.50] not internal
> > Feb 21 15:30:13 mailout02 opendkim[1740]: 231D920E4061: not authenticated
> > Feb 21 15:30:13 mailout02 opendkim[1740]: 231D920E4061: external host
> > mailout03.controlledmail.com attempted to send as kitterman.com
> > Feb 21 15:30:13 mailout02 opendmarc[1751]: 231D920E4061: pass
> >
> > There is nothing from opendkim about the actual verification process. In
> > my view, the fact that an external host is sending using a domain that
> > this host also signs for and is not authenticated is not relevant to
> > anything. Not internal isn't very useful either. I'd think those kinds
> > of things should be reserved for debug logging. Regular logging should
> > report actual program errors and optionally (I think default on)
> > signature results.
>
> Regular logging does. "LogWhy" is a specific debugging flag. I don't
> normally run with it enabled. It's intended to be used when your filter
> isn't signing and you can't figure out why; when things are operating
> normally, that information isn't useful to log.
OK. I took that out. Now it just logs:
opendkim[5199]: C83BB20E4061: external host mailout03.controlledmail.com
attempted to send as kitterman.com
Which is not particularly useful (even more so when there's no other
information in the log). Lots of domains have multiple MTAs, so I don't think
this is a very interesting fact. I do think a log entry similar to
opendmarc's (but with the domain) would be good as a standard item.
> > As an aside (I know this is the wrong list), it would be nice if
> > opendmarc would include the domain in addition to the result.
>
> Please open a feature request for that one.
Done.
https://sourceforge.net/p/opendmarc/tickets/41/
Scott K
Received on Thu Feb 21 2013 - 22:15:19 PST